What is the GDPR?
The EU General Data Protection Regulation (GDPR) is the world’s strictest data protection law. It is by far the most important change in data privacy regulation in 20 years. It provides data protection for all individuals in the European Union.
The GDPR replaces the existing data protection ‘Directive’ issued in 1995 with a new, legally enforceable ‘Regulation’ that addresses the collection, use, processing and transfer of the personal data of European Union (EU) citizens.
The GDPR is in effect from 25 May 2018.
How does it affect individuals and their personal data?
The GDPR aims to protect EU citizens from privacy breaches in an increasingly data-driven world that is today vastly different from the time in 1995 when the earlier data protection Directive was established.
It strengthens data protection rights for individuals, giving EU citizens more control over their personal data, and harmonizing the regulatory environment for organizations using such data across the European Union.
Key requirements of GDPR
Unvired, as a responsible organization, understands these expectations and is committed to compliance with the GDPR.
At a high level, GDPR requires the following:
- A transparent and complete disclosure of how data is collected and processed.
- Providing complete control to individuals with respect to their personal data.
- Obtaining valid consent from all our respondents and panelists.
- Implementation of a Data Retention policy so as not to retain personal data longer than necessary.
- Implementation of technical and organizational information security measures to protect the data.
What does GDPR mean for Unvired?
We have undertaken a detailed analysis to understand the enhancements required to our privacy framework.
Unvired is considered a ‘Data Processor’ when it processes personal data on behalf of a data controller. This will typically be the case when you use Unvired products and services.
Unvired is a ‘Data Controller’ when we collect data for billing, marketing, sales prospecting and similar purposes.
As both a processor and a controller, Unvired commits to protecting personal data as mandated by the EU GDPR.
Completion of Comprehensive Gap Analysis
The gap analysis identified the enhancements required to our privacy framework, and we are glad to inform you that we have remediated most of the critical gaps.
Privacy Policy
The GDPR places an emphasis on making privacy policies understandable and accessible. It states that the information provided to individuals about how we process their personal data must be concise, transparent, intelligible and easily accessible, and written in clear and plain language.
We have reviewed our existing privacy policy and replaced it with a GDPR-compliant privacy policy. Our privacy policy spells out exactly how we collect and use data, what rights you have as a customer or a respondent, and other required disclosures.
Data Mapping, Data Inventory, and Lawful Basis
We have completed data inventory and data mapping exercises to identify all the personal data that we collect and use. For each item in this inventory, we have identified the processing activities involved and a lawful basis for each of those activities.
Privacy Framework
As a high-growth organization, we realize the importance of building a culture that accepts and appreciates privacy. Our privacy governance includes periodic senior management meetings to evaluate the status of the privacy framework.
We have developed the website and external-facing privacy policy. We have also developed internal privacy policies that include a Data Breach Response Plan, breach-related templates, a DPIA Framework, a Self-Assessment Framework and a Retention Policy. We are committed to complying with GDPR and have all the components necessary to meet compliance.
Data Processing Addendums and Cross-Border Transfers
While we aim to limit the sharing of your data, it is at times necessary to share it with certain service providers, such as hosting, customer relationship management and email marketing services. We use third-party tools such as Constant Contact and HubSpot for sending emails and following up on leads. These third parties do not share the data further and use it only for the purpose of providing the subscribed services.
We have appropriate data processing addendums (DPAs) with most of them. These third parties have published data privacy addendums relating to the data they process.
To comply with laws: if we receive a request for information, we may disclose it if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.
We have also started to enter into DPAs with our customers to provide them the sufficient guarantees required under GDPR. We offer our DPA to our customers to help them meet GDPR requirements.
We offer EU Model Contract Clauses / Standard Contractual Clauses for any cross-border transfers.
Technical and Organisational Measures (TOMs)
Our information security practices are adequate to the size and operations of the company. We use cloud services from a European cloud service provider whose data center is in North America. These data centers are physically secured and accessible only to restricted personnel.
Logical access to personal data is restricted to the IT department and the staff working on the specific projects concerned. Our operations floor is physically secured and accessible only to staff.
Training and Awareness
All our operational employees have undergone an hour of awareness training on the importance of Data Protection and GDPR.
Confidentiality Commitment
At Unvired, we sign a Non-Disclosure Agreement (NDA) with all new joiners, which ensures the confidentiality and privacy of personal data.
Contacts
If you have any further questions about our GDPR readiness and privacy framework, please contact us at privacy@unvired.com.